Overview

overview

10

Static

static

2e95e79eea...95.exe

windows7-x64

10

2e95e79eea...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e95e79eeac4fe2208cc3f0d0f063b8681ec9afde324d503489b42d802d61795.exe

  • Size

    192KB

  • MD5

    35061731f0dbf6ff199340479a7c524c

  • SHA1

    96007fbc2c5214b010307d116c95a9ba9ad09690

  • SHA256

    2e95e79eeac4fe2208cc3f0d0f063b8681ec9afde324d503489b42d802d61795

  • SHA512

    530b96081e10e96d857da5c5df23b35b4812ae965ef1b76016d546e63c46d640bebe20a89dac6114477cb0d49d5d8ba1674b525532e6aa6cf6ba56d3d20f1765

  • SSDEEP

    1536:CNcd2Oabfaaaaat031AdQWB5kCFrWszRUOHFlQhzyLwVKftfVBiZHAPloFp5A2mE:kOkVW3kCFrWsF2eLbqx2994sU6G

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e95e79eeac4fe2208cc3f0d0f063b8681ec9afde324d503489b42d802d61795.exe
    "C:\Users\Admin\AppData\Local\Temp\2e95e79eeac4fe2208cc3f0d0f063b8681ec9afde324d503489b42d802d61795.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\keusee.exe
      "C:\Users\Admin\keusee.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1
T1158

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\keusee.exe
    Filesize

    192KB

    MD5

    cfc92f6e4c6fb0b0a6302980c335aa70

    SHA1

    018da25fad7711d8758808637beaecbb944f3c2b

    SHA256

    258a6ebb40f021de4e2c5d1bce29a269b1e31ca4925f7f7aeb668e9c7ec88edf

    SHA512

    b1585a80d21c6b806f06503e0ad695604cc246291bcf8a525aae1e31f2812bed581521970e9b11db08de622593b62344d6b6ab02a969de1b0bc50ac15e690cf7

    Download Submit
  • C:\Users\Admin\keusee.exe
    Filesize

    192KB

    MD5

    cfc92f6e4c6fb0b0a6302980c335aa70

    SHA1

    018da25fad7711d8758808637beaecbb944f3c2b

    SHA256

    258a6ebb40f021de4e2c5d1bce29a269b1e31ca4925f7f7aeb668e9c7ec88edf

    SHA512

    b1585a80d21c6b806f06503e0ad695604cc246291bcf8a525aae1e31f2812bed581521970e9b11db08de622593b62344d6b6ab02a969de1b0bc50ac15e690cf7

    Download Submit
  • memory/1744-134-0x0000000000000000-mapping.dmp
    Download